DOE/IG-0494

AUDIT REPORT

THE U.S. DEPARTMENT OF ENERGY'S CORPORATE HUMAN RESOURCE INFORMATION SYSTEM

FEBRUARY 2001

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF AUDIT SERVICES

February 13, 2001

MEMORANDUM FOR THE SECRETARY

FROM: Gregory H. Friedman (Signed)
Inspector General

SUBJECT: INFORMATION: Audit Report on "The U.S. Department of Energy's Corporate Human Resource Information System"

BACKGROUND

The Department of Energy maintains integrated human resource (HR) information systems that serve about 13,000 Federal employees and 22 personnel offices. In 1994, the Department determined that its legacy HR information system no longer met its business information needs and embarked on a project to update and/or replace the system. The Department initiated action to replace its legacy system with the Corporate Human Resources Information System (CHRIS) in 1996.

The Department envisioned that CHRIS would be fully integrated and would serve as its primary HR information system. It expected that savings of about $9.6 million over six years would accrue as a result of implementing CHRIS. During 1998, the Department implemented the personnel portion of CHRIS and amended the project to include integration of payroll functions. The training portion of CHRIS became operational during 1999. The currently deployed modules of the CHRIS system are based on an extensively modified commercial-off-the-shelf application.
Through September 2000, the Department had spent about $11.6 million for CHRIS development.

Under existing Federal mandates, Department elements are required to follow a structured approach when developing and implementing automated systems. This includes building effective security safeguards and internal controls into the system, accurately tracking project costs, and examining opportunities to reengineer inefficient business processes. In addition, HR and payroll systems are subject to system design requirements imposed by the Joint Financial Management Improvement Program.

The objective of our audit was to determine whether CHRIS, as currently structured, satisfies the Department's goals and objectives and whether Federal and Departmental requirements are being met as part of this process.

RESULTS OF AUDIT

Despite a number of operational improvements, CHRIS had not satisfied all Federal and Departmental requirements and had not met certain Departmental goals and objectives. For example,

• Several system development activities were inadequate or had not been completed;

• Departmental initiatives to reengineer certain HR processes and eliminate over 50 redundant systems had not been satisfied; and

• CHRIS had computer security weaknesses that increased the risk of unauthorized access or malicious damage to the system.

The audit disclosed that the Department did not adhere to project planning requirements for system development projects. As a consequence, full implementation of CHRIS is not anticipated until Fiscal Year 2005, six years after the original forecast. Further, as currently projected, the final total cost of CHRIS will be about $20.4 million or 155 percent greater than originally estimated.
Because of implementation delays and projected cost overruns, it is unlikely that the Department will achieve the project's original estimate of approximately $9.6 million in savings over six years.

In developing and implementing CHRIS, the Department has been successful in implementing a number of improvements over the previous HR system. It had, for example, reduced paperwork; improved operational efficiencies; and, provided both management and staff with improved reporting capability by allowing them to generate more timely reports and data queries. Under CHRIS, users have direct access to real-time HR information, rather than having to submit information requests for batch processing, thus providing managers with the information necessary to make sound HR decisions. The Department also developed the Employee Self Service system that allowed users to view and update some personnel information online.

The Office of Inspector General supports the use of commercial off-the-shelf software applications as a cost effective alternative to custom software development. While we recognize that there are many challenges associated with the implementation of such applications, adherence to systems development requirements and best practices is essential for successful deployment. The audit report included recommendations designed to aid the Department in satisfying its objective of deploying a fully integrated human resources/payroll system.
The lessons learned from the development of a system as important as CHRIS should be used to avoid future problems in software development.

MANAGEMENT REACTION

Management generally concurred with our findings and recommendations and identified a number of corrective actions.

Attachment

cc: Under Secretary for Nuclear Security/Administrator for Nuclear Security
    Acting Director, Office of Security and Emergency Operations
    Acting Chief Information Officer
    Chief Financial Officer
    Acting Director, Office of Management and Administration
    Acting Director, Office of Human Resources Management

CORPORATE HUMAN RESOURCE INFORMATION SYSTEM

TABLE OF CONTENTS

Overview
    Introduction and Objective
    Conclusions and Observations

Opportunities For Project Improvement
    Details of Findings
    Recommendations and Comment

Appendices
    1. Scope and Methodology
    2. Related Office of Inspector General, General Accounting Office and Other Reports
    3. Management Comments

Overview

INTRODUCTION AND OBJECTIVE

The Department of Energy (Department) is required to maintain integrated human resource (HR) information systems that serve about 13,000 employees and 22 personnel offices. In 1994, the Department determined that its legacy human resources information system no longer met its business information needs and conducted an analysis of alternatives to update and/or replace the system. The Corporate Human Resource Information System (CHRIS) project, implemented in 1996, initially sought to replace the personnel portion of the legacy centralized payroll/personnel system and over 80 separate stand-alone systems with a Year 2000 compliant, single integrated human resources management information system. Subsequently, in 1998, the project was amended to include the replacement of the legacy payroll system to create an integrated HR/payroll system.

The Department's primary goal for CHRIS was that it would be fully integrated and would serve as its corporate HR information system for Federal personnel. The Department envisioned that development efforts would include a number of reengineering initiatives that would result in various business process improvements.
Integrated system functions were to include personnel, training, time and attendance, payroll, and labor distribution. The Department projected savings of approximately $9.6 million over six years as a result of implementing CHRIS. Specifically, the CHRIS project was to accomplish the following objectives:

• enhance operational efficiencies,
• reduce paperwork,
• eliminate redundant information systems,
• eliminate non-value-added work by human resource professionals, and
• provide the information necessary to make sound human resource decisions.

The currently deployed modules of the CHRIS system are based on an extensively modified commercial-off-the-shelf (COTS) application. The Department elected to phase in CHRIS by first implementing the personnel related portion of the system in 1998, which replaced the Department's legacy personnel system. The CHRIS training module replaced the Department's training system in October 1999. In its first phase, the personnel portion of the system performed a number of functions, including capturing information for personnel actions and initiating changes in employee payroll information and thrift savings plans. The system also processed workforce information used for reporting to the Office of Personnel Management (OPM).
The system database was located at the National Energy Technology Laboratory in Morgantown, West Virginia, and was accessible to Federal employees at all Departmental sites through client/server technology. The Department invested an estimated $11.6 million through September 2000 for CHRIS development.

Generally, Departmental elements are required to follow a structured approach, consistent with Federal and Departmental requirements, when developing and implementing automated systems. They are also required to build effective security safeguards and internal controls into systems, accurately track project costs, and examine opportunities to reengineer inefficient business processes. In addition, HR and payroll systems are subject to system design requirements imposed by the Joint Financial Management Improvement Program.

The objective of our audit was to determine whether CHRIS satisfied Federal and Departmental requirements and was meeting Departmental goals and objectives.

CONCLUSION AND OBSERVATIONS

Despite a number of operational improvements, CHRIS had not satisfied all Federal and Departmental requirements and had not met certain Departmental goals and objectives. For example, system development activities such as the evaluation of selected COTS products and tracking of development and implementation costs were inadequate or had not been completed. Departmental goals to reengineer certain HR processes and eliminate redundant systems had also not been satisfied.
For instance, a number of processes had not been completely automated as planned, anticipated levels of system integration had not been achieved, and many redundant systems remained in use. Furthermore, CHRIS had computer security weaknesses that increased the risk of unauthorized access or malicious damage to data, programs or system software. CHRIS development and implementation efforts have been adversely affected because the Department did not adhere to project planning requirements and best practices for system development projects. As a consequence, full implementation of CHRIS is not anticipated until Fiscal Year 2005, six years after the original forecast. The total cost to fully implement CHRIS is also expected to be about $20.4 million, 155 percent greater than originally estimated. Because of implementation delays and projected cost overruns, it is unlikely that the Department will achieve the project's original estimate of approximately $9.6 million in savings over six years.

To its credit, the Department has been successful in implementing a number of improvements over the previous HR system that have reduced paperwork and improved operational efficiencies. The Department's development efforts have provided both management and staff with improved reporting capability by allowing them to generate more timely reports and data queries.
Users have direct access to real-time HR information, rather than having to submit information requests for batch processing, thus providing managers with the information necessary to make sound HR decisions. The Department had also developed the Employee Self Service system that allowed users to access some personnel information online. Employees can view personal and employment information, identify and register for certain training courses, and update some personnel data. Employees can also view their earnings statement and personal benefits and make updates to certain payroll data online.

As indicated in our recent report on corporate-level systems, we support the deployment of such systems as a method of promoting efficiencies and eliminating duplicative, site-specific information systems. While we recognize that there are many challenges associated with the implementation of major commercial off-the-shelf applications, adherence to systems development requirements and best practices is essential for successful deployment.
We have proposed recommendations that we believe will aid the Department in satisfying its objective of deploying a fully integrated human resources/payroll system.

This audit identified issues that management should consider when preparing its year-end assurance memorandum on internal controls.

(Signed)
Office of Inspector General

Opportunities for Project Improvement

CHRIS Did Not Meet Certain Requirements and Goals

CHRIS had not satisfied all Federal and Departmental requirements for corporate HR/payroll systems and had not met certain Departmental goals and objectives. For example, required system development activities such as the evaluation of selected COTS products and tracking of development and implementation costs were inadequate or had not been completed. Departmental goals to reengineer certain HR processes and eliminate redundant systems had also not been satisfied. For instance, a number of processes had not been completely automated as planned, anticipated levels of system integration had not been achieved, and many redundant systems remained in use.
Furthermore, CHRIS had computer security weaknesses that increased the risk of unauthorized access or malicious damage to data, programs or systems software.

Development and Implementation Activities

The Department began the development of CHRIS without completely evaluating the COTS product selected for the project. While certain product evaluations were conducted, the Department did not perform a detailed analysis of the selected software's shortcomings or gaps in meeting its business process requirements. These analyses can be done by testing pilot software or conducting software simulations or prototype implementations and are required to ensure that the organization can accept the gaps without degrading performance. Despite the fact that the version of the selected COTS product had not been successfully implemented in other Federal settings, Departmental officials proceeded with development efforts without fully understanding the extent of modifications required for Federal sector applicability. For example, extensive and costly modifications and supplemental software were required to make the application acceptable for Departmental use.
These modifications and supplemental software cost over $6 million.

The Department also purchased the payroll module, which includes payroll, time and attendance, and labor distribution, of the same COTS product without first determining whether the product would meet its needs. Following the decision to incorporate payroll in the CHRIS project rather than outsourcing that function, the Department acquired the payroll module in 1998 to replace its legacy payroll application. The Department did not complete the required analysis of the payroll module's features and capabilities until approximately one year after the date of acquisition. Had the results of that study been available prior to acquisition, the Department would have learned that this COTS product would not support its payroll requirements without extensive modification. Based on that analysis, Departmental officials informed us that they are considering foregoing implementation of the payroll module in favor of outsourcing payroll operations to a Federal cross service provider.

The Department was also unable to maintain required visibility and control over the financial impact of CHRIS investment decisions because it did not accurately track development and implementation costs.
Management officials indicated that cost data may have been incomplete and were difficult to track for a number of different reasons. For example, initial project funding was voluntary and sometimes consisted of financial contributions and donated services from various Departmental components. Furthermore, management confirmed that project costs were not tracked in a centralized manner and initially reflected only contract costs. Staffing resources expended in the early stages of the project were not tracked. Without accurate, up-to-date cost information, management could not update the project's cost/benefit analysis and lacked the information essential for evaluating whether additional CHRIS related investments were cost-effective.

Meeting Goals and Objectives

While the Department had made progress in satisfying a number of its original goals and objectives, it had not completed its initiative of reengineering its HR workflow process. For example, the CHRIS project had not implemented automated workflow processing such as electronic routing and approval of personnel and training related actions. While certain aspects of these processes had been automated, manual intervention was still required in certain areas. For instance, the system did not have electronic signature capability; hence, individuals were required to manually certify personnel actions. Furthermore, requests for personnel actions and employee training requests could not be routed and tracked electronically.
Moreover, individual development plans were prepared manually rather than electronically.

The Department also had not achieved its goal of establishing CHRIS as a Departmentwide, fully integrated HR/payroll system as specified in its 1998 Integrated Project Plan. Although certain links with other systems existed, CHRIS was not fully integrated with the Department's payroll system or its other financial management systems. In addition, the Department had not integrated CHRIS with collateral or supporting systems, such as time and attendance, labor distribution, reduction-in-force, and security clearance systems. The absence of integrated systems inhibited the Department's ability to access, analyze and report data from different and diverse systems. For instance, agency officials told us that considerable time was expended compiling data from the various HR related systems for reporting to OPM.

Despite CHRIS implementation, a number of redundant HR related information systems remained in use.[1] As indicated in our report on Corporate and Stand-Alone Information Systems Development (DOE/IG-0485, September 2000), and as recognized in the Department's study of the CHRIS project's return on investment, various Department elements continued to develop and maintain many redundant, stand-alone systems even though efforts were in progress to develop corporate level systems. At the time of our audit, Departmental components reported that they continued to use about 50 separate systems to store, retrieve, and manipulate HR data.
These systems were used for such purposes as maintaining training information, processing personnel actions, and tracking awards and grievances. The systems ranged in size from small, personal computer databases to large client/server databases that serve the entire office or Departmental element.

Information Security

CHRIS had computer security weaknesses that increased the risk of unauthorized access or malicious damage to data, programs or system software. Based on discussions and tests, we identified a number of implementation or design deficiencies that may render CHRIS vulnerable to compromise. Specific problems and the possible consequences are outlined below:

• Personnel specialists, training coordinators, programmers and others with access to CHRIS were not required to change their passwords or prevented from using identical passwords and commonly used names. Because of their sensitivity, additional password weaknesses were reported directly to project management, but are not reported here.
  During our review, the Department informed us that they were in the process of acquiring software to strengthen password security.

• Security software had not been installed or procedures established to regularly review system access and suspend access for users that had not used the system within a specified period of time.

  [1] The OIG, Office of Inspections, is conducting a separate inspection of Savannah River's development of a human resource and training system that duplicated planned CHRIS features.

• Authorization forms were not always available to support the need for users to access sensitive data and programs. Based on a sample of user authorization forms, we determined that 8 of the 41 users (approximately 20 percent) did not have forms on file. Without formal access authorization forms, there was no assurance that access granted was consistent with established policies and procedures and that such access was needed to perform the duties and responsibilities of the user.
  Subsequent to our review of authorization forms, the Department moved to suspend access for approximately 200 users that did not have approved access authorizations and now specifically requires that access requests be approved in writing.

• The Department did not require background investigations on contract personnel who had access to personal and sensitive data in CHRIS.

• Access or accountability over system and backup media containing sensitive data was not adequately controlled. Accountability records were not maintained and the media were stored in an unlocked cabinet available to anyone with access to the computer facility.

Requirements for Application Systems Development

The Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, the Federal Financial Management Improvement Act of 1996, and related Federal guidance lay out a number of requirements and guidelines designed to help Federal agencies manage their investments in information technology (IT), including systems development. The Paperwork Reduction Act is the "umbrella" IT legislation for the Federal government, while the Clinger-Cohen Act requires that Federal agencies establish a disciplined approach to managing and investing in IT resources.
The Paperwork Reduction Act, the Clinger-Cohen Act, and related Federal guidance require the head of the executive agency to design and implement a process for maximizing the value and assessing and managing the risks of IT acquisitions. In general, Departmental regulations and guidance incorporate, amplify and supplement Federal systems development requirements. Among other things, the requirements cited above and the Computer Security Act of 1987 require the Federal agencies to:

• Establish a rigorous planning and investment process for managing information system projects throughout their lifecycle, that includes:

    o developing a multi-year plan to provide a roadmap for major information systems investments,

    o conducting a cost/benefit analysis that demonstrates a projected return on investment that is clearly equal to or better than alternatives,

    o reducing risk by avoiding or isolating the use of custom-designed components,

    o using fully tested pilots, simulations, or prototype implementations before going to production,

    o establishing clear measures and accountability for project progress, and

    o revisiting and revising the project's planning documents and cost/benefit analysis, as necessary, when significant scope changes occur.

• Implement and maintain systems that comply substantially with Federal financial management system requirements. Specifically, systems are to be integrated with existing systems and should automate HR management activities, such as position management and classification, recruitment and staffing, and work force deployment.

• Implement security measures to protect confidential and sensitive data in computer systems. Agencies are required to prepare risk assessments to estimate the potential losses to which systems are exposed, evaluate the threats, and select from safeguard alternatives on the basis of cost justification.

Planning and System Development Issues

CHRIS development and implementation efforts have been adversely affected because the Department did not adhere to certain project planning requirements and generally accepted best practices for system development projects as required by the Clinger-Cohen Act of 1996. For example, while the Department had developed high-level project plans, the supporting schedules necessary to manage and direct project implementation were insufficiently detailed. The schedules did not consistently define the goals and key deliverables for each phase of the project, the necessary resources, and the intermediate project milestones, including management and technical reviews. The Department also had not performed a risk assessment to identify vulnerabilities and mitigate risks prior to preparing the CHRIS security plan.
Despite project delays, cost increases and substantial project scope changes, the CHRIS cost/benefit analysis and its strategic project plan were never revised.

In addition, a lack of specific performance measures for each phase of the CHRIS project also impacted the Department's implementation effort. While the Department had established certain performance measures related to CHRIS as required by the Government Performance and Results Act (GPRA) of 1993, such measures addressed high-level goals such as the elimination of paper processes and were not specifically directed to development and implementation activities. The lack of specific, quantifiable goals related to key deliverables for each phase of the project deprived management of the ability to adequately monitor progress. Without such goals, project management and high-level management officials could not maintain visibility over the substantial schedule slippages and cost increases associated with the project.

CHRIS Implementation Status

Despite the investment of about $11.6 million in development and acquisition costs and over four years of effort, the Department had not fully implemented CHRIS. Key components such as payroll, time and attendance, and labor distribution had not been implemented. In addition, the Department had no immediate plans to implement other planned system features such as awards tracking and appraisal processing.
The Department anticipates that the full implementation of CHRIS, consisting of an integrated HR/Payroll system, will not be completed until fiscal year 2005, six years later than originally forecasted. Total cost estimates have also increased substantially, from $8 million to $20.4 million, an increase of 155 percent over original estimates. Because of implementation delays and projected cost overruns, it is unlikely that the Department will achieve its original estimate of approximately $9.6 million in savings over six years.

As indicated in our recent report on corporate-level systems, we support the deployment of such systems as a method of promoting efficiencies and eliminating duplicative, site-specific information systems. While we recognize that there are many challenges associated with the implementation of major commercial off-the-shelf applications, adherence to systems development requirements and best practices is essential for successful deployment. We have proposed recommendations that we believe will aid the Department in satisfying its objective of deploying a fully integrated human resources/payroll system.

RECOMMENDATIONS

To help ensure successful completion of the CHRIS project, we recommend that the Chairperson for the Executive Committee for Information Management require the:

    1. Completion of systems development and implementation activities necessary to ensure project completion, including:

        • Preparation of an updated strategic project plan establishing specific performance measures, with associated deliverables, for completion of all remaining CHRIS development and implementation tasks;

        • Preparation of an updated cost/benefit analysis;

        • Accurate accounting of all project costs; and

        • Correction of the various computer security weaknesses identified.

    2. Establishment of specific, quantifiable goals for key deliverables in all project phases, as required by GPRA.

MANAGEMENT REACTION

Management generally concurred with the findings and recommendations, and described corrective actions designed to address the conditions described in the report. Management's comments have been included in their entirety in Appendix 3.

AUDITOR COMMENTS

Management's comments are generally responsive to our recommendations.

Appendix 1

SCOPE

The audit was performed between February and November 2000 at Departmental Headquarters in Washington, D.C. and Germantown, Maryland; the National Energy Technology Laboratory in Morgantown, West Virginia and Pittsburgh, Pennsylvania; the Office of Personnel Management; and the National Institutes of Health.
We evaluated the project's goals and objectives, examined how the CHRIS system development and implementation project was carried out, and examined opportunities for improving the planning and implementation of the project. We also reviewed system security and measured data accuracy by examining CHRIS data from December 1999 and February 2000.

METHODOLOGY

To accomplish our objective, we:

    • Reviewed applicable laws and regulations pertaining to system development, including system requirements published by the Joint Financial Management Improvement Program. We also reviewed reports by the Office of Inspector General, the General Accounting Office, and various task forces and advisory groups.

    • Reviewed best practices contained in guidance issued by the Office of Management and Budget, the National Institute of Standards and Technology, the General Accounting Office, the Carnegie Mellon University Software Engineering Institute, and others.

    • Reviewed numerous documents related to the development and implementation of CHRIS, including the Strategic Information Management Project Results and Business Case Analysis and the Project Plans.

    • Held discussions with program officials and personnel from numerous Departmental offices, including the Office of Chief Information Officer, the Office of Chief Financial Officer, and the Office of Management and Administration.

    • Held discussions with various officials, staff, and contract personnel at the National Energy Technology Laboratory.

    • Held discussions with officials of the Office of Personnel Management and reviewed the automated time and attendance system used by the National Institutes of Health.

We used advanced audit techniques to assess data reliability and network security. We obtained CHRIS data in electronic form and used computer assisted audit techniques to identify anomalies. We also compared selected CHRIS data elements to source documents at Departmental Headquarters in Washington, D.C. and Germantown, Maryland. While we did note some data inaccuracies, we determined that the data was sufficiently reliable for the purposes of our audit. Scanning software was used to determine whether the networks on which CHRIS operated were vulnerable to penetration by malicious or unauthorized users. Our limited tests determined that the networks had some minor vulnerabilities and we shared this information with the CHRIS project team.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Accordingly, we assessed internal controls regarding the development and implementation of automated systems. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit.
Management officials waived a formal exit conference.

Appendix 2

RELATED OFFICE OF INSPECTOR GENERAL, GENERAL ACCOUNTING OFFICE, AND OTHER REPORTS

This review concerned the Department's efforts to design and implement the CHRIS system. Prior related Office of Inspector General, General Accounting Office, and other reviews include:

    • Corporate and Stand-Alone Systems Development, (DOE/IG-0485, September 2000). Duplicative and redundant information systems existed or were under development at virtually all organizational levels within the Department. Despite efforts to implement several corporate level applications, such as CHRIS, many organizations continued to invest in custom or site-specific development efforts that duplicated corporate functionality. The Department has been unable to control development and eliminate duplicative systems because it has not fully developed and implemented an application software investment strategy. As a result, the Department has spent at least $38 million on duplicative information systems.

    • Unclassified Computer Network Security at Selected Field Sites, (DOE/IG-0459, February 2000). Six Departmental sites had significant internal or external weaknesses that increased the risk that their unclassified computer networks could be damaged by malicious attack.
      The OIG pointed out the need for correcting vulnerabilities found and establishing specific goals and performance measures for improving the level of unclassified computer security relating to network operations.

    • Audit of the Department's Integrated Payroll/Personnel System, (AP-FS-97-01, May 1997). The report noted that there were limitations in the controls over the storage of magnetic media and that access to the system was not sufficiently monitored. Based on known deficiencies in the system, the Department planned to obtain human resources information services from another Federal agency via cross-servicing agreements.

    • Audit of Selected Aspects of the Unclassified Computer Security Program at a DOE Headquarters Computing Facility, (AP-B-95-02, July 1995). The report stated that weaknesses in the computer security program at Headquarters increased the risk of unauthorized disclosure or loss of sensitive data, including data residing on PAY/PERS. These weaknesses occurred because a risk assessment had not been performed on the facility and security officials had not adequately monitored activities on the systems within the facility.

    • Information Technology: Selected Agencies' Use of Commercial Off-the-Shelf Software for Human Resources Functions, (GAO/AIMD-00-270, July 2000). The report examined five agencies' projects in implementing commercial off-the-shelf software to improve their HR functions. The report cited expected quantifiable and non-quantifiable benefits reported by the agencies.
      However, four of the five agencies' projects have encountered delays and three agencies have increased their project cost estimates.

    • Information Security: Software Change Controls at the Department of Energy, (GAO/AIMD-00-189R, June 2000). GAO's letter stated that, among other things, contractor personnel involved in the Department's software change control process did not routinely receive background screenings at all Departmental components. GAO recommended that the Department review its software change control process and implement any needed changes.

    • Department of Energy: Need to Address Longstanding Management Weaknesses, (GAO/T-RCED-99-255, July 1999). GAO highlighted systemic problems with respect to project management in the Department. For example, GAO testified that the Department conducted 80 projects from 1980 through 1996 that were designated as "major system acquisitions." GAO pointed out that 31 of the projects had been terminated before completion after expenditures of over $10 billion. Only 15 of the projects were completed and most of them were finished behind schedule and with cost overruns.

    • Department of Energy: Better Information Resources Management Needed to Accomplish Missions, (GAO/IMTEC-92-53, September 1992). GAO stated that the Department wasted resources developing and operating systems that overlapped or duplicated existing information systems.
      This practice is wasteful because the agency spends funds to develop and operate systems that perform the same or similar functions.

    • Improving Project Management in the Department of Energy, National Research Council (1999). The study stated that the Department had extensive project management weaknesses primarily attributable to the Department's culture, which fostered a decentralized organization structure. The study cited, among other things, a general lack of accountability and unclear lines of authority in the Department's project management. The study also noted that major projects require consistent and focused management attention.

Appendix 3

Management Comments

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following alternative address:

U.S. Department of Energy Office of Inspector General Home Page
http://www.ig.doe.gov